Summary

In  the  wake  of  the  economic  downturn,  policymakers  are  increasingly  concerned  with  securing 
the  economic  health  of  the  United  States — including  combating  those  crimes  that  threaten  to 
further  undermine  the  nation’s  financial  stability.  Identity  theft  is  one  such  crime.  It  is  the  fastest 
growing  type  of  fraud  in  the  United  States;  in  2009  about  11.1  million  Americans  were  reportedly 
victims  of  identity  theft,  an  increase  of  about  12%  from  the  number  of  cases  in  2008.  In  addition, 
the  Federal  Trade  Commission  (FTC)  estimates  that  it  costs  consumers  about  $50  billion 
annually.  Identity  theft  is  often  committed  to  facilitate  other  crimes  such  as  credit  card  fraud, 
document  fraud,  or  employment  fraud,  which  in  turn  can  affect  not  only  the  nation’s  economy  but 
its  security.  Consequently,  in  securing  the  nation  and  its  economic  health,  policymakers  are  also 
tasked  with  reducing  identity  theft  and  its  impact. 

Congress  continues  to  debate  the  federal  government’s  role  in  (1)  preventing  identity  theft  and  its 
related  crimes,  (2)  mitigating  the  potential  effects  of  identity  theft  after  it  occurs,  and  (3) 
providing  the  most  effective  tools  to  investigate  and  prosecute  identity  thieves.  With  respect  to 
preventing  identity  theft,  one  issue  concerning  policymakers  is  the  prevalence  of  personally 
identifiable  information — and  in  particular,  the  prevalence  of  social  security  numbers  (SSNs) — in 
both  the  private  and  public  sectors.  One  policy  option  to  reduce  their  prevalence  may  involve 
restricting  the  use  of  SSNs  on  government-issued  documents  such  as  Medicare  identification 
cards.  Another  option  could  entail  providing  federal  agencies  with  increased  regulatory  authority 
to  curb  the  prevalence  of  SSN  use  in  the  private  sector.  In  debating  policies  to  mitigate  the  effects 
of  identity  theft,  one  option  Congress  may  consider  is  whether  to  strengthen  data  breach 
notification  requirements.  Such  requirements  could  affect  the  notification  of  relevant  law 
enforcement  authorities  as  well  as  any  individuals  whose  personally  identifiable  information  may 
be  at  risk  from  the  breach. 

There have already been several legislative and administrative actions aimed at curtailing identity
theft. Congress enacted legislation naming identity theft as a federal crime in 1998 (P.L. 105-318)
and later provided for enhanced penalties for aggravated identity theft (P.L. 108-275). In
April 2007, the President’s Identity Theft Task Force issued recommendations to combat identity
theft, including specific legislative recommendations to close identity theft-related gaps in the
federal criminal statutes. In a further attempt to curb identity theft, Congress directed the FTC to
issue an Identity Theft Red Flags Rule (effective June 1, 2010), requiring that creditors and
financial institutions with specified account types develop and institute written identity theft
prevention programs.

Multiple federal agencies, including the Federal Bureau of Investigation; U.S. Secret Service;
U.S. Postal Inspection Service; U.S. Immigration and Customs Enforcement; and Social Security
Administration, Office of the Inspector General, are involved in investigating identity theft.
Further, prosecutions and convictions of identity theft and aggravated identity theft cases have
continued to increase since becoming federal crimes. In line with this trend, there has been a
general increase in the number of identity theft complaints to the FTC as well as in the number of
reported data breaches placing personally identifiable information at risk.

This  report  will  be  updated  as  needed. 
Introduction

In the wake of the economic downturn, policymakers are increasingly concerned with securing
the economic health of the United States — including combating those crimes that threaten to
further undermine the nation’s financial stability.[1] Identity theft, for one, poses both economic and
security risks. It is the fastest growing type of fraud in the United States, and the Federal Trade
Commission (FTC) estimates that identity theft costs consumers about $50 billion annually.[2] FTC
complaint data indicate that the most common fraud complaint received (21% of all consumer
fraud complaints) is that of identity theft.[3] In 2009, for instance, about 11.1 million Americans
were reportedly victims of identity theft. This is an increase of about 12% over the approximately
9.9 million who were victimized in 2008.[4] According to the FTC’s most recent (2005) survey on
identity theft, approximately 8.3% of the United States’ adult population may have fallen victim
to identity theft.[5] With recent data indicating that the number of identity theft incidents is on the
rise, the current proportion of the population falling victim to identity theft may be even higher
than the level estimated by the FTC in 2005.

An  increase  in  globalization  and  a  lack  of  cyber  borders  provide  an  environment  ripe  for  identity 
thieves  to  operate  from  within  the  nation’s  borders — as  well  as  from  beyond.  Federal  law 
enforcement  is  thus  challenged  with  investigating  criminals  who  may  or  may  not  be  operating 
within  U.S.  borders;  may  have  numerous  identities — actual,  stolen,  or  cyber;  and  may  be  acting 
alone  or  as  part  of  a  sophisticated  criminal  enterprise.  In  addition,  identity  theft  is  often 
interconnected  with  various  other  criminal  activities.  These  activities  range  from  credit  card  and 
bank  fraud  to  immigration  and  employment  fraud.  In  turn,  the  effects  felt  by  individuals  and 
businesses  who  have  fallen  prey  to  identity  thieves  extend  outside  of  pure  financial  burdens; 
identity  thieves  affect  not  only  the  nation’s  economic  health,  but  its  national  security  as  well. 
Consequently,  policymakers  may  debate  the  federal  government’s  role  in  preventing  identity  theft 
and  its  related  crimes,  mitigating  the  potential  effects  of  identity  theft  after  it  occurs,  and 
providing  the  most  effective  tools  to  investigate  and  prosecute  identity  thieves. 

This report first provides a brief federal legislative history of identity theft laws. It analyzes the
current trends in identity theft, including prevalent identity theft-related crimes, the federal
agencies involved in combating identity theft, and the trends in identity theft complaints and
prosecutions. The report also discusses the relationship between data breaches and identity theft
as well as possible effects of the FTC’s Identity Theft Red Flags Rule, effective June 1, 2010. It
also examines current legislation on identity theft and possible issues for the 111th Congress to
consider.


[1] U.S. Congress, Senate Committee on the Judiciary, Fraud Enforcement and Recovery Act of 2009, report to
accompany S. 386, 111th Cong., 1st sess., March 23, 2009, 111-10 (Washington: GPO, 2009),
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_reports&docid=f:sr010.pdf.

[2] As referenced in Nikki Swartz, “Will Red Flags Detour ID Theft?” Information Management Journal, vol. 43, no. 1
(Jan/Feb 2009), pp. 38-41. In addition to the costs incurred by consumers, identity theft presents cost burdens to the
financial services industry as well. However, this cost is unclear. CRS was unable to locate any comprehensive, reliable
data on the costs of identity theft (separate from the total cost of financial fraud) to the financial services industry.

[3] Federal Trade Commission, Consumer Sentinel Network Data Book for January — December, 2009, February, 2010,
http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2009.pdf.

[4] Javelin Strategy & Research, “Javelin Study Finds Identity Fraud Reached New High in 2009, but Consumers are
Fighting Back,” press release, February 10, 2010,
https://www.javelinstrategy.com/news/831/92/Javelin-Study-Finds-Identity-Fraud-Reached-New-High-in-2009-but-Consumers-are-Fighting-Back/d,pressRoomDetail.

[5] Federal Trade Commission, 2006 Identity Theft Survey Report, November 2007,
http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf.

Definitions  of  Identity  Theft 

When  does  taking  and  using  someone  else’s  identity  become  a  crime?  Current  federal  law  defines 
identity  theft  as  a  federal  crime  when  someone 

knowingly transfers, possesses, or uses, without lawful authority, a means of identification of
another person with the intent to commit, or to aid or abet, or in connection with, any
unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under
any applicable State or local law.[6]

The current federal law also provides enhanced penalties for aggravated identity theft when
someone “knowingly transfers, possesses, or uses, without lawful authority, a means of
identification of another person” in the commission of particular felony violations.[7] Aggravated
identity theft carries an enhanced two-year prison sentence for most specified crimes and an
enhanced five-year sentence for specified terrorism violations.

Identity theft is also defined in the Code of Federal Regulations (CFR) as “fraud committed or
attempted using the identifying information of another person without permission.”[8] Identity theft
can both facilitate and be facilitated by other crimes. For example, identity theft may make
possible crimes such as bank fraud, document fraud, or immigration fraud, and it may be aided by
crimes such as theft in the form of robbery or burglary.[9] Therefore, one of the primary challenges
in analyzing the trends in identity theft (e.g., offending, victimization, or prosecution rates) — as
well as the policy issues that Congress may wish to consider — arises from this interconnectivity
between identity theft and other crimes.


[6] 18 U.S.C. § 1028(a)(7).

[7] These felony violations as outlined in 18 U.S.C. § 1028A include theft of public money, property, or records; theft,
embezzlement, or misapplication by bank officer or employee; theft from employee benefit plans; false personation of
citizenship; false statements in connection with the acquisition of a firearm; fraud and false statements; mail, bank, and
wire fraud; specified nationality and citizenship violations; specified passport and visa violations; obtaining customer
information by false pretenses; specified violations of the Immigration and Nationality Act relating to willfully failing to
leave the United States after deportation and creating a counterfeit alien registration card and various other immigration
offenses; specified violations of the Social Security Act relating to false statements relating to programs under the Act;
and specified terrorism violations. The basic penalty for identity theft under 18 U.S.C. § 1028 ranges from not more
than 5 years imprisonment to not more than 30 years, depending on the circumstances.

[8] According to the CFR definitional section for the Fair Credit Reporting Act (16 C.F.R. § 603.2), “[t]he term
‘identifying information’ means any name or number that may be used, alone or in conjunction with any other
information, to identify a specific person, including any — (1) Name, social security number, date of birth, official State
or government issued driver’s license or identification number, alien registration number, government passport number,
employer or taxpayer identification number; (2) Unique biometric data, such as fingerprint, voice print, retina or iris
image, or other unique physical representation; (3) Unique electronic identification number, address, or routing code; or
(4) Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)).”

[9] Graeme R. Newman and Megan M. McNally, “Identity Theft Literature Review,” Prepared for presentation and
discussion at the National Institute of Justice Focus Group Meeting to develop a research agenda to identify the most
effective avenues of research that will impact on prevention, harm reduction and enforcement, Contract #2005-TO-008,
January 2005, http://www.ncjrs.gov/pdffiles1/nij/grants/210459.pdf.
Theft vs. Fraud

Identity theft and identity fraud are terms that are often used interchangeably. Identity fraud[10] is
the umbrella term that refers to a number of crimes involving the use of false identification —
though not necessarily a means of identification belonging to another person. Identity theft is the
specific form of identity fraud that involves using the personally identifiable information of
someone else. Both identity fraud and identity theft are crimes often committed in connection
with other violations, as mentioned above. Identity theft, however, may involve an added element
of victimization, as this form of fraud may directly affect the life of the victim whose identity was
stolen in addition to defrauding third parties (such as the government, employers, consumers,
financial institutions, and health care and insurance providers, just to name a few). This report,
however, maintains a focus on identity theft rather than the broader term of identity fraud.


Knowledge  Element 

Another definitional issue is one that was recently before the U.S. Supreme Court. The statutory
definitions of identity theft and aggravated identity theft indicate that they are crimes when
someone “knowingly transfers, possesses, or uses, without lawful authority, a means of
identification of another person” in conjunction with specified felony violations outlined in the
U.S. Code. The definitional element under question was the word “knowingly.” In
Flores-Figueroa v. United States, the Court decided that in order to be found guilty of aggravated
identity theft, a defendant must have knowledge that the means of identification he used belonged
to another individual.[11] It is not sufficient to only have knowledge that the means of identification
used was not his own. Although the case before the Court specifically involved aggravated
identity theft, the issue may apply to the identity theft statute as well, due to its overlap in
wording about the element of knowledge.

Since the Court has issued its final decision in Flores-Figueroa v. United States, Congress may
wish to consider whether there is a need to clarify the difference between these two types of
knowledge in the U.S. Code. If a clarification is warranted, Congress may wish to consider
whether the identity theft and aggravated identity theft statutes should be amended to reflect the
definitions of both types of knowledge.


Legislative History[12]

Until 1998, identity theft was not a federal crime. Leading up to Congress designating identity
theft as a federal crime, identity fraud was on the rise, and the Internet was increasingly being
used as a method of defrauding innocent victims. Law enforcement and policymakers suggested
that the current laws at the time were ineffective at combating the growing prevalence of identity
theft; the laws were not keeping up with technology, and stronger laws were needed to
investigate and punish identity thieves.[15] In addition, policymakers also suggested that industries
that handled records containing individuals’ personally identifiable information — such as credit,
medical, and criminal records — needed superior methods to ensure the validity of the information
they collected and utilized.


[10] Identity fraud became a federal crime through the False Identification Crime Control Act of 1982 (P.L. 97-398), and
it is codified at 18 U.S.C. § 1028.

[11] Flores-Figueroa v. United States, 129 S. Ct. 1186 (2009).

[12] The legislation described in this section covers those Acts directly related to the identity theft statutes. Other statutes,
such as the credit reporting statutes, indirectly address identity theft by possibly assisting victims; however, they are not
discussed here. For more information on the scope of federal laws relating to identity theft, see CRS Report RL31919,
Federal Laws Related to Identity Theft, by Gina Stevens. See also CRS Report RL31666, Fair Credit Reporting Act:
Rights and Responsibilities, by Margaret Mikyung Lee.

[13] The first state to enact an identity theft law was Arizona in 1996.


Congressional Research Service

Identity Theft: Trends and Issues


Identity  Theft  Assumption  Deterrence  Act 

In  1998,  Congress  passed  the  Identity  Theft  Assumption  Deterrence  Act  (P.L.  105-318),  which 
criminalized  identity  theft  at  the  federal  level.  In  addition  to  making  identity  theft  a  crime,  this 
Act  provided  penalties  for  individuals  who  either  committed  or  attempted  to  commit  identity  theft 
and  provided  for  forfeiture  of  property  used  or  intended  to  be  used  in  the  fraud.  It  also  directed 
the  Federal  Trade  Commission  (FTC)  to  record  complaints  of  identity  theft,  provide  victims  with 
informational  materials,  and  refer  complaints  to  the  appropriate  consumer  reporting  and  law 
enforcement  agencies.  The  FTC  now  records  consumer  complaint  data  and  reports  it  in  the 
Identity  Theft  Data  Clearinghouse;  identity  theft  complaint  data  are  available  for  2000  and 
forward. 


Identity  Theft  Penalty  Enhancement  Act 

Congress further strengthened the federal government’s ability to prosecute identity theft with the
passage of the Identity Theft Penalty Enhancement Act (P.L. 108-275).[17] This Act established
penalties for aggravated identity theft, in which a convicted perpetrator could receive additional
penalties (two to five years’ imprisonment) for identity theft committed in relation to other federal
crimes. Examples of such federal crimes include theft of public property, theft by a bank officer
or employee, theft from employee benefit plans, false statements regarding Social Security and
Medicare benefits, several fraud and immigration offenses, and specified felony violations
pertaining to terrorist acts.


Identity  Theft  Enforcement  and  Restitution  Act  of  2008 

Most recently, Congress enhanced the identity theft laws by passing the Identity Theft
Enforcement and Restitution Act of 2008 (Title II of P.L. 110-326). Among other elements, the
Act authorized restitution to identity theft victims for their time spent recovering from the harm
caused by the actual or intended identity theft.


[14] Before identity theft became a federal crime, identity fraud had been established as a crime in the False Identification
Crime Control Act of 1982 (P.L. 97-398). However, the identity fraud statute did not contain a specific theft provision.

[15] From remarks by James Bauer, Deputy Assistant Director, Office of Investigations, U.S. Secret Service, before the U.S.
Congress, Senate Committee on the Judiciary, Subcommittee on Technology, Terrorism, and Government Information,
The Identity Theft and Assumption Deterrence Act, 105th Cong., 2nd sess., May 20, 1998.

[16] Unless otherwise noted in this report, all dates refer to calendar years rather than fiscal years.

[17] Aggravated Identity Theft is codified at 18 U.S.C. § 1028A.
Identity Theft Task Force

In addition to congressional efforts to combat identity theft, there have been administrative efforts
as well. The President’s Identity Theft Task Force (Task Force) was established in May 2006 by
Executive Order 13402.[18] The Task Force was created to coordinate federal agencies in their
efforts against identity theft, and it was charged with creating a strategic plan to combat (increase
awareness of, prevent, detect, and prosecute) identity theft. It was composed of representatives
from 17 federal agencies.[19]


Recommendations 

In  April  2007,  the  Task  Force  authored  a  Strategic  Plan  for  combating  identity  theft  in  which  it 
made  recommendations  in  four  primary  areas: 

•  preventing  identity  theft  by  keeping  consumer  data  out  of  criminals’  hands, 

•  preventing  identity  theft  by  making  it  more  difficult  for  criminals  to  misuse 
consumer  data, 

•  assisting  victims  in  detecting  and  recovering  from  identity  theft,  and 

•  deterring  identity  theft  by  increasing  the  prosecution  and  punishment  of  identity 
thieves. 

With  respect  to  identity  theft  prevention,  the  Task  Force  suggested  that  decreasing  the  use  of 
social  security  numbers  (SSNs)  in  the  public  sector  and  reviewing  the  use  of  SSNs  in  the  private 
sector  could  help  prevent  identity  theft.  Also,  the  Task  Force  suggested  that  educating  employers 
and  individuals  on  how  to  safeguard  data,  as  well  as  establishing  national  data  protection  and 
breach  notification  standards,  could  further  aid  in  preventing  identity  theft. 

Relating to victim assistance, the Task Force suggested that identity theft victims may be better
served if first responders were specially trained to assist this particular class of victim. It also
addressed victim redress by recommending that identity theft victims be able to obtain an
alternative identification document after the theft of their identities. Through the Identity Theft
Enforcement and Restitution Act of 2008 (Title II of P.L. 110-326), Congress responded to the
Task Force’s recommendation that criminal restitution statutes allow victims to be compensated
for their time in recovering from the actual or attempted identity theft.


[18] Executive Order 13402, “Strengthening Federal Efforts To Protect Against Identity Theft,” 71 Federal Register 93,
May 15, 2006.

[19] Members of the Task Force included the Attorney General (chair), the Chairman of the Federal Trade Commission
(co-chair), the Secretary of the Treasury, the Secretary of Commerce, the Secretary of Health and Human Services, the
Secretary of Veterans Affairs, the Secretary of Homeland Security, the Director of the Office of Management and
Budget, the Commissioner of Social Security, the Chairman of the Board of Governors of the Federal Reserve System,
the Chairperson of the Board of Directors of the Federal Deposit Insurance Corporation, the Comptroller of the
Currency, the Director of the Office of Thrift Supervision, the Chairman of the National Credit Union Administration
Board, the Postmaster General, the Director of the Office of Personnel Management, and the Chairman of the Securities
and Exchange Commission.

[20] The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, April 23, 2007, at
http://www.identitytheft.gov/reports/StrategicPlan.pdf.
Regarding identity theft deterrence, the Task Force recommended enhancing information
gathering and sharing between domestic law enforcement agencies and the private sector,
ramping up identity theft training for law enforcement and prosecutors, and increasing
enforcement and prosecution of identity theft. The Task Force also promoted international
cooperation to decrease identity theft through identifying countries that may be safe havens for
identity thieves, encouraging anti-identity theft legislation in other countries, and increasing
international cooperation in the investigation and prosecution of identity theft.


Legislative  Recommendations 

More specifically, the Task Force recommended that Congress close gaps in the federal criminal
statutes to more effectively prosecute and punish identity theft-related offenses by

• amending the identity theft and aggravated identity theft statutes so that thieves
who misappropriate the identities of corporations and organizations — and not just
the identities of individuals — can be prosecuted,

• amending the aggravated identity theft statute by adding new crimes as predicate
offenses for aggravated identity theft violations,

• amending the statute criminalizing the theft of electronic data by eliminating
provisions requiring that the information be stolen through interstate
communications,

• amending the computer fraud statute by eliminating the requirement that damage
to a victim’s computer exceed $5,000,

• amending the cyber-extortion statute by expanding the definition of
cyber-extortion, and

• ensuring that the Sentencing Commission allows for enhanced sentences imposed
on identity thieves whose actions affect multiple victims.[21]

Congress has already taken steps to address some of these Task Force recommendations. Through
the Identity Theft Enforcement and Restitution Act of 2008 (Title II of P.L. 110-326), Congress,
among other things, eliminated provisions in the U.S. Code requiring the illegal conduct to
involve interstate or foreign communication, eliminated provisions requiring that damage to a
victim’s computer amass to $5,000, and expanded the definition of cyber-extortion.

However,  Congress  has  not  yet  addressed  the  Task  Force  recommendation  to  expand  the  identity 
theft  and  aggravated  identity  theft  statutes  to  apply  to  corporations  and  organizations  as  well  as  to 
individuals,  nor  has  it  addressed  the  recommendation  to  expand  the  list  of  predicate  offenses  for 
aggravated  identity  theft.  Issues  surrounding  these  recommendations  are  analyzed  in  the  section 
“Potential  Issues  for  Congress.” 


[21] Ibid.
Red Flags Rule[22]

The Identity Theft Red Flags Rule, issued in 2007, requires creditors and financial institutions to
implement identity theft prevention programs. It is implemented pursuant to the Fair and Accurate
Credit Transactions (FACT) Act of 2003 (P.L. 108-159). The FACT Act amended the Fair Credit
Reporting Act (FCRA)[23] by directing the FTC, along with the federal banking agencies and the
National Credit Union Administration, to develop Red Flags guidelines. These guidelines require
creditors[24] and financial institutions[25] with “covered accounts”[26] to develop and institute written
identity theft prevention programs. According to the FTC, the identity theft prevention programs
required by the rule must provide for

•  identifying  patterns,  practices,  or  specific  activities — known  as  “red  flags” — that 
could  indicate  identity  theft  and  then  incorporating  those  red  flags  into  the 
identity  theft  prevention  program; 

•  detecting  those  red  flags  that  have  been  incorporated  into  the  identity  theft 
prevention  program; 

•  responding  to  the  detection  of  red  flags;  and 

•  updating  the  identity  theft  prevention  program  periodically  to  reflect  any  changes 
in  identity  theft  risks. 

Possible  “red  flags”  could  include 

•  alerts,  notifications,  or  warnings  from  a  consumer  reporting  agency; 

•  suspicious  documents; 

•  suspicious  personally  identifiable  information,  such  as  a  suspicious  address; 


The  Red  Hags  Rule  is  listed  in  the  Code  of  Federal  Regulations  at  16  C.F.R.  §  681.2.  The  Red  Hags  Rule  was  issued 
jointly  hy  the  FTC;  the  Office  of  the  Comptroller  of  the  Currency,  Treasury;  the  Board  of  Governors  of  the  Federal 
Reserve  System;  the  Federal  Deposit  Insurance  Corporation;  the  Office  of  Thrift  Supervision,  Treasury;  and  the 
National  Credit  Union  Administration.  The  final  rules  are  available  in  the  Federal  Register.  See  Department  of  the 
Treasury,  Office  of  the  Comptroller  of  the  Cunency;  Federal  Reserve  System;  Federal  Deposit  Insurance  Corporation; 
Department  of  the  Treasury,  Office  of  Thrift  Supervision;  National  Credit  Union  Administration;  Federal  Trade 
Commission,  “Identity  Theft  Red  Flags  and  Address  Discrepancies  Under  the  Fair  and  Accurate  Credit  Transactions 
Act  of  2003;  Final  Rule,”  72  Federal  Register  63718  -  63775,  November  9,  2007. 

The  FCRA  is  codified  at  15  U.S.C.  §  1681. 

Under  the  Red  Flags  Rule,  a  creditor  is  defined  as  “any  person  who  regularly  extends,  renews,  or  continues  credit; 
any  person  who  regularly  arranges  for  the  extension,  renewal,  or  continuation  of  credit;  or  any  assignee  of  an  original 
creditor  who  participates  in  the  decision  to  extend,  renew,  or  continue  credit,”  15  U.S.C.  §  1691a. 

Under  the  Red  Flags  Rule,  a  financial  institution  is  defined  as  “a  State  or  National  bank,  a  State  or  Federal  savings 
and  loan  association,  a  mutual  savings  bank,  a  State  or  Federal  credit  union,  or  any  other  person  that,  directly  or 
indirectly,  holds  a  transaction  account  (as  defined  in  section  461(b)  of  title  12)  belonging  to  a  consumer,”  15  U.S.C.  § 
1681a(t). 

A  covered  account  is  one  that  is  used  primarily  for  personal,  family,  or  household  purposes,  and  that  involves 
multiple payments or transactions. These include credit card accounts, mortgage loans, automobile loans, margin
accounts,  cell  phone  accounts,  utility  accounts,  checking  accounts,  savings  accounts,  and  other  accounts  for  which  there 
is  a  foreseeable  risk  of  identity  theft.  The  Rule  also  requires  creditors  and  financial  institutions  to  periodically 
determine  whether  they  maintain  any  covered  accounts,  72  Federal  Register  63719. 

Federal Trade Commission, “Agencies Issue Final Rules on Identity Theft Red Flags and Notices of Address
Discrepancy,” press release, October 31, 2007, http://ftc.gov/opa/2007/10/redflag.shtm.

• unusual use of — or suspicious activity relating to — a covered account; and

•  notices  from  customers,  victims  of  identity  theft,  law  enforcement  authorities,  or 
other  businesses  about  possible  identity  theft  in  connection  with  covered 
accounts.

The  deadline  for  creditors  and  financial  institutions  to  comply  with  the  Red  Flags  Rule  was 
originally  set  at  November  1,  2008.  However,  many  of  the  organizations  affected  by  the  Red 
Flags  Rule  were  not  prepared  to  institute  their  identity  theft  prevention  programs  by  this  date. 
Therefore, the FTC moved the deadline to May 1, 2009, and then further extended the
compliance date to November 1, 2009. Most recently, the FTC extended the enforcement date to
June 1, 2010, and indicated that extension was, in part, a result of the debate over whether
Congress  wrote  the  FACT  Act  Red  Flags  provision  too  broadly  by  including  all  entities  qualifying 
as  creditors  and  financial  institutions  (discussed  further  below). 

The  effect  that  the  Red  Flags  Rule  will  have  on  the  prevalence  of  identity  theft  remains  uncertain. 
One  potential  effect  is  that  the  Red  Flags  Rule  may  help  creditors  and  financial  institutions 
prevent  identity  theft  by  identifying  potential  lapses  in  security  or  suspicious  activities  that  could 
lead  to  identity  theft.  This  could  possibly  lead  to  an  overall  decrease  in  the  number  of  identity 
theft  incidents  reported  to  the  FTC,  as  well  as  the  number  of  identity  theft  cases  investigated  and 
prosecuted.  Once  detected,  the  Red  Flags  Rule  requires  that  the  creditor  or  financial  institution 
respond  to  the  identified  red  flag.  One  response  option  that  creditors  and  financial  institutions 
might  include  in  their  prevention  programs  is  to  notify  consumers  or  law  enforcement  of  data 
breaches  that  could  potentially  lead  to  the  theft  of  consumers’  personally  identifiable  information. 
While notification is not a required element in the identity theft prevention programs, early
notification  could  lead  to  consumers  taking  swift  action  to  prevent  identity  theft  or  mitigate  the 
severity  of  the  damage  that  could  result  if  they  had  not  been  notified  as  quickly. 

Other  questions  about  the  effects  of  the  Red  Flags  Rule  stem  not  from  its  possible  effects  on  the 
prevalence  of  identity  theft,  but  from  its  effects  on  the  approximately  11.1  million  creditors  and 
financial  institutions  required  to  implement  the  identity  theft  prevention  programs. The  FTC 
estimates  the  total  annual  labor  costs  (for  each  of  the  first  three  years  the  rule  is  in  effect)  for  all 
creditors  and  financial  institutions  covered  by  the  rule  to  be  about  $143  million.  This  financial 
burden  would  be  absorbed  by  the  responsible  creditors  and  financial  institutions.  Further,  some 
entities  considered  creditors  or  financial  institutions  under  the  rule  have  expressed  concern  that 


http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm.

Federal Trade Commission, “FTC Will Grant Six-Month Delay of Enforcement of ‘Red Flags’ Rule Requiring
Creditors and Financial Institutions to Have Identity Theft Prevention Programs,” press release, October 22, 2008,
http://www.ftc.gov/opa/2008/10/redflags.shtm.

Federal Trade Commission, “FTC Will Grant Three-Month Delay of Enforcement of ‘Red Flags’ Rule Requiring
Creditors and Financial Institutions to Adopt Identity Theft Prevention Programs,” press release, April 30, 2009,
http://www2.ftc.gov/opa/2009/04/redflagsrule.shtm.

Federal Trade Commission, “FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule,” press release,
October 30, 2009, http://www.ftc.gov/opa/2009/10/redflags.shtm.

The  FTC  has  published  a  guide  to  assist  businesses  in  creating  the  identity  theft  prevention  programs,  available  at 
Federal  Trade  Commission,  Fighting  Fraud  With  the  Red  Flags  Rule:  A  How-To  Guide  for  Business,  March  2009, 
http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf. 

Identity Theft Red Flags Final Rule, p. 63741.

Ibid. Cost estimates are provided by OMB in three-year increments. Therefore, cost estimates for subsequent years
are unavailable and could change from the estimates provided for the first three years.

the burden of the rule overlaps with burdens already incurred under other regulations. For
example,  the  American  Bar  Association  (ABA)  has  expressed  concern  over  whether  lawyers  are 
considered  “creditors”  under  the  Red  Flags  Rule  because  they  generally  do  not  require  payment 
until  after  services  are  rendered.  On  October  29,  2009,  the  U.S.  District  Court  for  the  District  of 
Columbia  ruled  that  the  FTC’s  interpretation  of  the  Fair  and  Accurate  Credit  Transactions  Act 
overreaches, and its application to lawyers is unreasonable. Further, the American Medical
Association  has  indicated  that  physicians  should  be  exempt  from  the  Red  Flags  Rule  because  of 
patient  privacy  and  security  protections  required  by  the  Health  Insurance  Portability  and 
Accountability Act (HIPAA). In addition, there may be concern that to avoid being considered
creditors, some  physicians  could  possibly  require  full  payment  at  the  time  of  service  (rather  than 
allowing  deferred  payments).  This  could  in  turn  lead  to  some  patients  avoiding  potentially 
necessary  treatment  if  they  are  unable  to  pay  in  full  at  the  time  of  service;  on  the  other  hand,  the 
rule may have no effect on patients seeking medical treatment. Legislation in the 111th Congress
would place limits on the “creditors” and “financial institutions” currently covered by the Red
Flags Rule. The actual effects of the Red Flags Rule — including effects on identity theft rates as
well as any indirect consequences — will not be evident until after full implementation by
creditors and financial institutions. The 111th Congress may consider monitoring the effects of the
impending  Red  Flags  Rule  on  subsequent  identity  theft  rates. 


Trends  in  Identity  Theft 

Research  indicates  that  in  2009,  about  11.1  million  Americans  were  victims  of  identity  theft.  This 
is an increase of 12% over the approximately 9.9 million who were victimized in 2008.
Consumer  complaints  of  identity  theft  to  the  FTC,  however,  did  not  exhibit  a  corresponding 
increase.  The  FTC  received  278,078  consumer  complaints  of  identity  theft  in  2009,  despite 
survey  data  indicating  that  about  11.1  million  people  were  actually  victimized.  This  disparity 
between  research  on  identity  theft  victimization  and  consumer  reports  could  be  a  result  of  several 
factors.  For  one,  while  some  identity  theft  victims  may  file  a  report  with  the  FTC,  others  may  file 


Legislation has been introduced in the 111th Congress that would narrow the scope of entities considered “creditors”
under the FACT Act. H.R. 2345, for example, would exempt health care practices with 20 or fewer employees from
being considered creditors under the Red Flags Rule.

American Bar Association, “Statement of ABA President Carolyn B. Lamm in American Bar Association vs.
Federal Trade Commission, ABA Applauds Injunction, Summary Judgment in Red Flags Suit,” press release, October
29, 2009, http://www.abanet.org/abanet/media/statement/statement.cfm?releaseid=810. A written decision from the
U.S. District Court has not been issued, and thus no further information on the ruling is currently available.

Letter  from  American  Medical  Association  et  al.  to  William  E.  Kovacic,  Chairman,  U.S.  Federal  Trade  Commission, 
September 30, 2008, http://www.ama-assn.org/ama1/pub/upload/mm/31/ftc_letter20080930.pdf. HIPAA was enacted
by P.L. 104-191. For more information on HIPAA or health information privacy, see CRS Report R40546, The
Privacy and Security Provisions for Health Information in the American Recovery and Reinvestment Act of 2009, by
Gina  Stevens  and  Edward  C.  Liu. 

As  mentioned  previously,  a  creditor  is  defined  as  “any  person  who  regularly  extends,  renews,  or  continues  credit;  any 
person  who  regularly  arranges  for  the  extension,  renewal,  or  continuation  of  credit;  or  any  assignee  of  an  original 
creditor  who  participates  in  the  decision  to  extend,  renew,  or  continue  credit,”  15  U.S.C.  §  1691a. 

For example, H.R. 3763, passed by the House on October 20, 2009, would, among other things, exclude health care,
legal, and accounting practices with twenty or fewer employees from the meaning of a “creditor” under the Red Flags
Rule.

Javelin Strategy & Research, “Javelin Study Finds Identity Fraud Reached New High in 2009, but Consumers are
Fighting Back,” press release, February 10, 2010,
https://www.javelinstrategy.com/news/831/92/Javelin-Study-Finds-Identity-Fraud-Reached-New-High-in-2009-but-Consumers-are-Fighting-Back/d,pressRoomDetail.

complaints with credit bureaus, while still others may file complaints with law enforcement. Not
all  victims,  however,  may  file  complaints  with  consumer  protection  entities,  credit  reporting 
agencies,  and  law  enforcement.  Another  possible  factor  contributing  to  the  disparity  is  that 
victims  may  not — for  any  number  of  reasons — report  an  identity  theft  incident.  These  individuals, 
however,  may  be  more  likely  to  indicate  the  incident  on  a  survey  prompting  them  about  their 
experiences  with  identity  theft  or  fraud. 

Since  the  FTC  began  recording  consumer  complaint  data  in  2000,  identity  theft  has  remained  the 
most  common  consumer  fraud  complaint.  Figure  1  illustrates  the  number  of  identity  theft 
complaints  received  by  the  FTC  between  2000  and  2009  in  relation  to  the  number  of  all  other 
fraud  complaints  received.  According  to  CRS  analysis,  since  2000,  the  number  of  identity  theft 
complaints  has  averaged  about  34%  of  the  total  number  of  consumer  complaints  received  by  the 
FTC.


Figure 1. FTC Consumer Complaint Data

Identity Theft and Other Fraud for 2000-2009

[Chart not reproduced. Legend: Other Fraud; Identity Theft.]


Source:  CRS  presentation  of  FTC  Identity  Theft  Clearinghouse  data.  Annual  reports  for  each  calendar  year  are 
available at http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2009.pdf.

Notes:  Data  indicates  the  number  of  identity  theft  and  other  fraud  complaints  received  by  the  FTC  each 
calendar  year.  According  to  CRS  analysis,  between  2000  and  2009,  the  number  of  identity  theft  complaints  has 
averaged  about  34%  of  the  total  number  of  consumer  complaints  received  by  the  FTC.  The  percentage  has 
ranged  between  about  22%  and  about  40%. 

Not  only  has  the  proportion  of  identity  theft  complaints  remained  the  dominant  consumer  fraud 
complaint  to  the  FTC,  but  the  number  of  identity  theft  complaints  received  by  the  FTC  has 


Between 2000 and 2009, the proportion of consumer fraud complaints that are classified as identity theft complaints
has ranged from about 22% to about 40%. The total number of identity theft and other fraud complaints reported to the
FTC are available from the annual Identity Theft Clearinghouse Data reports available at
http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2009.pdf.

generally increased since the Commission began recording identity theft complaints in 2000. Of
note,  however,  is  that  the  number  of  identity  theft  complaints  decreased  in  2009  by  almost  12%  to 
278,078.  Figure  2  illustrates  the  generally  increasing  trend  in  the  number  of  identity  theft 
complaints  reported  to  the  FTC. 

Figure  2.  FTC  Identity  Theft  Complaint  Data 

2000-2009 


Source:  CRS  presentation  of  FTC  Identity  Theft  Clearinghouse  data.  Annual  reports  for  each  calendar  year  are 
available at http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2009.pdf.

Notes:  Data  indicates  the  number  of  identity  theft  complaints  received  by  the  FTC  each  calendar  year. 


Perpetrators 

Increasing  globalization  and  the  expansion  of  the  Internet  have  provided  a  challenging 
environment  for  law  enforcement  to  both  identify  and  apprehend  identity  thieves  targeting 
persons  residing  in  the  United  States.  For  one,  these  criminals  may  be  operating  from  within  U.S. 
borders as well as from beyond. There is no publicly available information, however,
delineating  the  proportion  of  identity  theft  (or  other  crimes  known  to  be  identity  theft-related) 
committed  by  domestic  and  international  criminals. Secondly,  while  some  identity  thieves 


Statistics  are  available  on  the  proportion  of  cyber-related  crimes  committed  by  perpetrators  from  various  countries. 
However,  only  a  proportion  of  those  crimes  are  identity  theft  crimes,  and  analysts  therefore  cannot  reliably  extrapolate 
the  proportion  of  identity  theft  crimes  committed  by  domestic  and  international  criminals. 



operate  alone,  others  operate  as  part  of  larger  criminal  networks  or  organized  crime  syndicates. 
The  FBI  has  indicated  that  it,  for  one,  targets  identity  theft  investigations  on  larger  criminal 
networks. These  networks  may  involve  identity  thieves  located  in  various  cities  across  the 
United States or in multiple cities around the world, and these criminals may be victimizing not
only Americans, but persons living in countries across the globe. A third challenge includes
identifying identity thieves operating under multiple identities, such as their actual identities,
various stolen identities, and cyber identities and nicknames.


Investigations  and  Prosecutions 

As  mentioned  earlier,  identity  theft  is  defined  broadly,  and  it  is  directly  involved  in  a  number  of 
other  crimes  and  frauds.  As  a  result,  there  are  practical  investigative  implications  that  influence 
analysts’  abilities  to  understand  the  true  extent  of  identity  theft  in  the  United  States.  For  instance, 
only  a  proportion  (the  exact  number  of  which  is  unknown)  of  identity  theft  incidents  are  reported 
to  law  enforcement.  While  some  instances  may  be  reported  to  consumer  protection  agencies  (e.g., 
the  FTC),  credit  reporting  agencies  (e.g.,  Equifax,  Experian,  and  Trans  Union),  and  law 
enforcement agencies, some instances may be reported to only one. For example, the FTC
indicates that of the nearly 40% of identity theft complaints that included information on whether
the theft was reported to law enforcement, 72% were reported to law enforcement.

Another  issue  that  may  affect  analysts’  abilities  to  evaluate  the  true  extent  of  identity  theft  is  that 
law  enforcement  agencies  may  not  uniformly  report  identity  theft  because  crime  incident 
reporting  forms  may  not  necessarily  contain  specific  categories  for  identity  theft.  In  addition, 
there  may  not  be  standard  procedures  for  recording  the  identity  theft  component  of  the  criminal 
violations of primary concern. Issues such as these may lead to discrepancies between data
available  on  identity  theft  reported  by  consumers,  identity  theft  reported  by  state  and  local  law 
enforcement,  and  identity  theft  investigated  and  prosecuted  by  federal  law  enforcement. 

Various federal agencies are involved in investigating identity theft, including the Federal Bureau
of  Investigation  (FBI),  the  United  States  Secret  Service  (USSS),  the  United  States  Postal 
Inspection  Service  (USPIS),  the  Social  Security  Administration  Office  of  the  Inspector  General 
(SSAOIG),  and  the  U.S.  Immigration  and  Customs  Enforcement  (ICE).  In  addition,  federal  law 
enforcement  agencies  may  work  on  task  forces  with  state  and  local  law  enforcement  as  well  as 
with  international  authorities  to  bring  identity  thieves  to  justice.  The  Department  of  Justice  (DOJ) 
is  responsible  for  prosecuting  federal  identity  theft  cases. 

Federal  Bureau  of  Investigation  (FBI) 

The  FBI  investigates  identity  theft  primarily  through  its  Financial  Crimes  Section.  However, 
because  the  nature  of  identity  theft  is  cross-cutting  and  may  facilitate  many  other  crimes,  identity 


Federal Bureau of Investigation, Financial Crimes Report to the Public, Fiscal Year 2006,
http://www.fbi.gov/publications/financial/fcs_report2006/publicrpt06.pdf.

Federal Trade Commission, Consumer Sentinel Network Data Book for January — December, 2009, February, 2010,
http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2009.pdf.

Graeme R. Newman and Megan M. McNally, “Identity Theft Literature Review,” Prepared for presentation and
discussion at the National Institute of Justice Focus Group Meeting to develop a research agenda to identify the most
effective avenues of research that will impact on prevention, harm reduction and enforcement. Contract #2005-TO-008,
January 2005, http://www.ncjrs.gov/pdffiles1/nij/grants/210459.pdf.

theft is investigated in other sections of the FBI as well. The FBI is involved in over 20 identity
theft task forces and working groups around the country. It is also involved in over 80 other
financial crimes task forces, which may also investigate cases with identity theft elements. The
FBI focuses its identity theft crime fighting resources on those cases involving organized groups
of identity thieves and criminal enterprises that affect a large number of victims. The FBI
partners with the National White Collar Crime Center (NW3C) to form the Internet Crime
Complaint Center (IC3). The IC3 serves the broad law enforcement community to receive,
develop, and refer Internet crime complaints — including those of identity theft. In 2008, 2.5% of
all Internet crime complaints received by the IC3 were that of identity theft. However, other
complaint  categories  such  as  credit  card  fraud  and  check  fraud  may  have  involved  incidents  of 
identity  theft  as  well. 

United  States  Secret  Service  (USSS) 

The  USSS  serves  a  dual  mission  of  (1)  protecting  the  nation’s  financial  infrastructure  and 
payment  systems  to  safeguard  the  economy  and  (2)  protecting  national  leaders. In  carrying  out 
the  former  part  of  this  mission,  the  USSS  conducts  criminal  investigations  into  counterfeiting, 
financial  crimes,  computer  fraud,  and  computer-based  attacks  on  the  nation’s  financial  and  critical 
infrastructures.  The  Secret  Service  has  35  Financial  Crimes  Task  Forces  and  24  Electronic  Fraud 
Task Forces that investigate identity theft, along with numerous other crimes. In FY2008, the
Secret Service arrested over 5,600 suspects for crimes related to identity theft.

United  States  Postal  Inspection  Service  (USPIS) 

The  USPIS  is  involved  in  inter-agency  task  forces  investigating  identity  theft  and  is  the  lead 
federal  investigative  agency  when  identity  thieves  have  used  the  postal  system  in  conducting  their 
fraudulent  activities.  It  coordinates  or  co-coordinates  19  financial  crime  task  forces  and  working 
groups  that  address  cases  involving  identity  theft.  The  most  recent  USPIS  data  indicate  that  in 


U.S.  Department  of  Justice,  Fact  Sheet:  The  Work  of  the  President's  Identity  Theft  Task  Force,  September  19,  2006, 
p. 3, http://www.ftc.gov/os/2006/09/060919IDtheftfactsheet.pdf.

Federal Bureau of Investigation, Financial Crimes Report to the Public, Fiscal Year 2006,
http://www.fbi.gov/publications/financial/fcs_report2006/publicrpt06.pdf.

See  the  IC3  website  at  http://www.ic3.gov/default.aspx.  Among  the  many  Internet  crimes  reported  to  the  IC3  are 
identity  theft  and  phishing.  Phishing  refers  to  gathering  identity  information  from  victims  under  false  pretences,  such  as 
pretending  to  be  a  representative  of  a  financial  institution  collecting  personal  information  to  update  financial  records. 

The IC3 received a total of 275,284 Internet crime complaints. However, it did not make publicly available the
exact number of these complaints which were identity theft complaints, but rather indicated that identity theft made up
about 2.5% of total Internet crime complaints. Internet Crime Complaint Center, 2008 Internet Crime Report, p. 4,
http://www.ic3.gov/media/annualreport/2008_IC3Report.pdf.

18 U.S.C. § 3056.

Information provided to CRS by the USSS Office of Congressional Affairs. The USSS also led the investigation of
the largest identity theft case prosecuted yet in the United States; the case involved 11 criminals from at least five
different countries and the sale of more than 40 million credit and debit card numbers from U.S. retailers including TJX
Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21, and
DSW. The defendants have been charged with conspiracy and related crimes including aggravated identity theft,
unlawful access to computer systems, wire fraud, access device fraud, and money laundering. At least five of the
defendants have been indicted in Boston. For more information, see the United States Secret Service, “Additional
Indictments Announced in Ongoing Secret Service Network Intrusion Investigation,” press release, August 5, 2008,
http://www.secretservice.gov/press/GPA15-08_CyberIndictments_Final.pdf.

FY2008, the USPIS participated in 25 identity theft task forces, and postal inspectors arrested
2,047  identity  theft  suspects — from  both  USPIS  investigations  and  task  force  investigations  in 
which  the  USPIS  was  involved.  In  addition  to  investigating  identity  theft,  the  USPIS  has  been 
involved  in  delivering  educational  presentations  to  consumer  groups  to  assist  in  preventing 
identity  theft,  and  inspectors  are  involved  in  sponsoring  outreach  programs  for  victims  of  identity 
theft;  in  FY2006,  inspectors  provided  1,799  cases  of  identity  theft  victim  assistance,  in  FY2007, 
they  provided  2,308  cases,  and  most  recently  in  FY2008,  they  provided  3,643  cases.  Examples 
of  victim  services  include  notifying  victims  of  potential  identity  theft  if  the  USPIS  discovers 
compromised  identities  as  well  as  assisting  in  victim  restitution  by  providing  victims  money  from 
the funds forfeited as a result of USPIS identity theft investigations.

Social  Security  Administration  Office  of  the  Inspector  General  (SSA  OIG) 

Because  the  theft  and  misuse  of  social  security  numbers  (SSNs)  is  one  of  the  primary  modes  of 
identity  theft,  the  SSA  OIG  is  involved  in  investigating  identity  theft.  The  SSA  has  programs  to 
assist  victims  of  identity  theft  who  have  had  their  SSNs  stolen  or  misused  by  placing  fraud  alerts 
on  their  credit  files,  replacing  social  security  cards,  issuing  new  social  security  numbers  in 
specific  instances,  and  helping  to  correct  victims’  earnings  records. The  SSA  OIG  protects  the 
integrity  of  the  SSN  by  investigating  and  detecting  fraud,  waste,  and  abuse.  It  also  determines 
how  the  use  or  misuse  of  SSNs  influences  programs  administered  by  the  SSA.  The  SSA  OIG  is 
involved  in  providing  a  limited  range  of  SSN  verification  for  law  enforcement  agencies.  Further, 
the  SSA  OIG  maintains  a  hotline  for  consumers  to  report  identity  theft,  and  then  this  data  is 
transferred to the FTC to be included in their consumer complaint database.

Immigration  and  Customs  Enforcement 

The  U.S.  Immigration  and  Customs  Enforcement  (ICE)  investigates  cases  involving  identity  theft, 
particularly immigration cases that involve document and benefit fraud. In FY2008, ICE
conducted 3,636 investigations of document and benefit fraud. In addition, it made 1,652 criminal
arrests and seized about $10.3 million related to document and benefit fraud. In 2006, ICE
created Document and Benefit Fraud Task Forces (DBFTFs). These DBFTFs, located in 17 cities
throughout the United States, are aimed at dismantling and seizing the financial assets of criminal
organizations that threaten the nation’s security by engaging in document and benefits fraud. In
FY2008, these task forces opened 563 investigations, made 1,216 arrests, and seized about $2.4
million.


The  FY2006  and  FY2007  data  comes  from  the  United  States  Postal  Inspection  Service  Annual  Reports  of 
Investigations  available  at  https://postalinspectors.uspis.gov/pressroom/pubs.aspx.  Data  for  FY2008  was  provided  to 
CRS  by  the  USPIS,  Office  of  Congressional  Affairs. 

United  States  Postal  Inspection  Service,  FY2007  Annual  Report  of  Investigations  of  the  United  States  Postal 
Inspection Service, January 2008, pp. 16-17, https://postalinspectors.uspis.gov/radDocs/pubs/AR2007.pdf.

Social Security Administration, Identity Theft Fact Sheet, October 2006,
http://www.socialsecurity.gov/pubs/idtheft.htm.

Information  provided  to  CRS  by  the  Social  Security  Administration,  Office  of  the  Inspector  General,  Office  of 
Congressional  Affairs,  March  25,  2009. 

U.S.  Immigration  and  Customs  Enforcement,  ICE  Fiscal  Year  2008  Annual  Report:  Protecting  National  Security  and 
Upholding  Public  Safety,  2008,  p.  iv,  http://www.ice.gov/doclib/pi/reports/ice_annual_report/pdf/ice08ar_final.pdf. 

Ibid.



Department  of  Justice 

The U.S. Attorneys Offices (USAOs) prosecute federal identity theft cases referred by the various
investigative agencies. CRS was unable to determine the proportion of identity theft cases
referred to the USAOs by each investigative agency for several reasons. For one, some of the
investigations reported by each agency are investigations conducted by a task force, to which
several agencies may have contributed. Consequently, these investigations may be reported by
each  participating  agency.  If  the  total  number  of  reported  investigations  from  each  agency  were 
combined,  it  is  likely  that  the  overall  number  of  identity  theft  investigations  would  be  inflated 
because  of  double  (or  more)  reporting  of  an  investigation  from  multiple  agencies.  A  second  factor 
is  that  the  USAOs  do  not  track  the  proportion  of  case  referrals  by  statute;  rather,  they  track  case 
referrals  by  program  area.  For  instance,  the  proportion  of  identity  theft  (18  U.S.C.  §  1028)  and 
aggravated  identity  theft  (18  U.S.C.  §  1028A)  case  referrals  from  each  agency  are  not  tracked 
according  to  the  charging  statutes.  Identity  theft  cases  fall  under  several  programmatic 
categories — including  white  collar  crime  and  immigration — which  also  contain  several  other 
crimes.  Thus,  trends  in  federal  identity  theft  and  aggravated  identity  theft  cases  may  be  better 
tracked  by  the  number  of  total  cases  referred  to  and  prosecuted  by  the  USAOs,  irrespective  of  the 
referring  agency. 

Mirroring  the  upward  trend  in  identity  theft  complaints  reported  to  the  FTC,  there  has  been  a 
generally  increasing  trend  in  the  number  of  identity  theft  and  aggravated  identity  theft  cases 
prosecuted  by  DOJ.  Figure  3  illustrates  the  number  of  identity  theft  (18  U.S.C.  §  1028)  and 
aggravated  identity  theft  (18  U.S.C.  §  1028A)  cases  filed  (specifically,  the  number  of  defendant 
cases filed) with the USAOs as well as defendants convicted between FY1998 and FY2008.
There  are  several  possible  factors  that  could  be  driving  the  general  increase  in  identity  theft  cases. 
One  possibility  is  that  there  has  been  an  increase  in  the  overall  number  of  identity  theft  incidents, 
and  law  enforcement  has  been  responding  proportionally  by  arresting  more  identity  thieves  and 
filing  more  cases  with  the  U.S.  Attorneys’  Offices.  A  second  possibility  is  that  there  is  little  or  no 
increase  in  the  number  of  identity  theft  incidents,  but  federal  law  enforcement  has  placed  a 
greater  priority  on  combating  identity  theft  and  in  turn  has  increased  investigations  and 
prosecutions.  However,  the  increase  in  the  number  of  identity  theft  complaints  to  the  FTC,  as 
reflected  in  Figure  2,  suggests  that  this  second  explanation  may  not  be  true.  Still  another 
possibility  is  that  there  may  be  an  increase  in  both  the  number  of  identity  theft  incidents  as  well 
as  in  investigations  and  prosecutions.  If  this  were  the  case,  it  would  be  difficult  to  determine 
whether  the  prevalence  of  identity  theft  is  driving  the  increase  in  investigations  and  prosecutions 
or  whether  increased  enforcement  is  revealing  a  greater  number  of  identity  theft  incidents. 


There  may  be  multiple  defendants  in  a  case.  Of  note,  Figure  3  depicts  the  number  of  defendants  (rather  than  the 
number  of  cases)  prosecuted  and  convicted  on  charges  of  identity  theft  and  aggravated  identity  theft  for  FY1998 
through  FY2008. 
Figure 3. Federal Identity Theft and Aggravated Identity Theft Cases

Defendant Cases Filed and Defendants Convicted FY1998-FY2008

[Figure: 18 U.S.C. § 1028 defendant cases filed and defendants convicted (left axis, 0 to 2,400); 18 U.S.C. § 1028A defendant cases filed and defendants convicted (right axis, 0 to 600).]


Source:  CRS  analysis  of  data  provided  by  the  USAO,  Congressional  Affairs. 

Notes:  Identity  theft  defendant  cases  filed  and  convictions  are  plotted  on  the  left  Y-axis  while  the  aggravated 
identity theft cases filed and convictions are plotted on the right Y-axis. Identity theft is prosecuted under 18
U.S.C. § 1028 and aggravated identity theft is prosecuted under 18 U.S.C. § 1028A. Identity theft became a
federal crime in 1998, and aggravated identity theft became a federal crime in 2004. Data include all cases filed
with  the  USAOs  containing  an  identity  theft  or  aggravated  identity  theft  violation,  and  are  not  limited  to  those 
cases  where  identity  theft  or  aggravated  identity  theft  is  the  lead  charge.  This  includes  data  filed  with  the  USAOs 
from  all  federal  agencies. 

As  also  illustrated  in  Figure  3,  identity  theft  cases  filed  in  FY2008  decreased  relative  to  cases 
filed in FY2007. Identity theft convictions, however, increased. This is accompanied by a
continued increase in aggravated identity theft case filings and convictions. Several factors could
possibly contribute to the decrease in FY2008 case filings. One is that these data represent natural
fluctuation  in  identity  theft  cases.  Although  the  general  trend  is  that  between  FY1998  and 
FY2008  identity  theft  case  filings  and  convictions  increased,  there  is  fluctuation  in  the  data.  For 
example,  case  filings  and  prosecutions  in  FY2004  both  decreased  relative  to  levels  in  FY2003, 
but  thereafter  the  number  of  case  filings  and  convictions  continued  to  increase.  A  second 
explanation  for  the  decrease  in  the  number  of  identity  theft  cases  filed  in  FY2008  relative  to 
FY2007  is  that  some  cases  in  which  defendants  would  have  been  charged  with  identity  theft  in 
earlier  years  may  more  recently  have  been  charged  with  aggravated  identity  theft.  Therefore,  a 
decrease  in  identity  theft  case  filings  may  be  complemented  with  an  increase  in  identity  theft  case 
filings.  As  mentioned  before,  aggravated  identity  theft  became  a  federal  crime  in  2004,  and  is 
reflected  in  Figure  3  by  the  increase  in  aggravated  identity  theft  case  filings  and  convictions  in 
later  years.  Analysts  would  need  to  evaluate  several  more  years  of  data  to  make  any  reliable  or 
valid  predictions  regarding  factors  contributing  to  fluctuations  in  identity  theft  and  aggravated 
identity theft prosecutions. Taken together, however, identity theft and aggravated identity theft
case  filings  and  convictions  have  generally  increased  over  the  last  decade. 


Domestic  Impact 

As mentioned, in 2009, about 11.1 million Americans were victims of identity theft, a 12% increase over
2008. And these are the known cases. The Federal Trade Commission (FTC) recognizes two
primary forms of identity theft: existing account fraud and new account fraud. Existing account
fraud refers to the misuse of a consumer’s existing credit card, debit card, or other account, while
new account fraud refers to the use of stolen consumer identifying information to open new
accounts in the consumer’s name. Figure 4 illustrates the most common misuses of victims’
identities. Since the FTC has begun tracking identity theft complaints, it has consistently reported
that the most common misuse of a victim’s identity is credit card fraud. In 2008, government
documents/benefits fraud became the second most prevalent misuse of a victim’s identity, and
within this category, the FTC reported a particularly large increase in identity theft related to tax
return fraud. In fact, tax return-related fraud saw a six percentage point increase from the 2006
level, and it was involved in about 12.2% of the identity theft complaints received by the FTC in
2008. In 2009, the category with the largest increase in fraud complaints was utilities fraud, and
in particular, the fraudulent opening of new utilities accounts. It was involved in about 8.2% of
the identity theft complaints the FTC received in 2009.


Javelin Strategy & Research, “Javelin Study Finds Identity Fraud Reached New High in 2009, but Consumers are
Fighting Back,” press release, February 10, 2010, https://www.javelinstrategy.com/news/831/92/Javelin-Study-Finds-Identity-Fraud-Reached-New-High-in-2009-but-Consumers-are-Fighting-Back/d,pressRoomDetail.

Federal Trade Commission, Prepared Statement of the Federal Trade Commission Before the Subcommittee on
Crime, Terrorism, and Homeland Security, House Committee on the Judiciary, on Protecting Consumer Privacy and
Combating Identity Theft, Washington, DC, December 18, 2007, p. 2, http://www.ftc.gov/os/testimony/P065404idtheft.pdf.

Although there are estimates regarding the cost of identity theft to consumers, CRS was unable to locate any
comprehensive, reliable data on the costs of identity theft (separate from the total cost of financial fraud) to the credit
card industry.

Federal Trade Commission, Consumer Sentinel Network Data Book for January - December 2008, February 2009, p.
3, http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2008.pdf.

Federal Trade Commission, Consumer Sentinel Network Data Book for January - December 2009, February 2010, p.
11, http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2009.pdf.

Figure 4. FTC Identity Theft Complaints, 2009

How Victims’ Information is Misused

[Figure: chart of complaint categories: Credit Card Fraud; Government Documents or Benefits Fraud; Employment-Related Fraud; Phone or Utilities Fraud; Bank Fraud; Loan Fraud; Other; Attempted Identity Theft.]


Source: FTC Identity Theft Clearinghouse data, Consumer Sentinel Network Data Book for January - December
2009, February 2010, p. 11, http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2009.pdf.

Notes: Of the 278,078 identity theft complaints received by the FTC in 2009, the most prevalent form of
identity theft was credit card fraud. About 12% of the identity theft complaints received by the FTC involved
more than one form of identity theft. For this reason, the sum of the various types of identity theft included in
the figure amounts to greater than 100%. Also, within the category “other,” are complaints of victims’
identities being misused across subcategories including evading the law, medical, Internet/e-mail, apartment/house
rented, insurance, securities/other investments, property rental fraud, magazines, child support, bankruptcy,
miscellaneous, and uncertain. The uncertain subcategory alone accounts for about 9% of all identity theft
complaints.

Identity  theft  and  the  various  crimes  it  facilitates  affect  the  economy  and  national  security  of  the 
United States. Selected crimes facilitated by identity theft are outlined in the section below.


Credit Card Fraud

After a victim’s identity is stolen, the primary criminal use of this information is credit card fraud.
Beyond amassing charges on a victim’s credit card, identity thieves may sometimes change the
billing address so that the victim will not receive the bills and see the fraudulent charges,
allowing the thief more time to abuse the victim’s identity and credit. If a victim does not receive
the bill, and therefore does not pay it, this could adversely affect the victim’s credit. In addition to
abusing existing credit card accounts, a thief could also open new accounts in the victim’s name,
incurring more charges on the victim’s line of credit. These actions could in turn affect not only
the victim’s immediate pocketbook, but future credit as well. The Identity Theft Resource Center
(ITRC) predicts that the current economic downturn may lead to an increase in credit card scams
and fraud. The ITRC suggests that tight credit in a strained economy could lead thieves to
advertise the availability of credit cards to those with poor credit or without a SSN.


Credit card fraud is codified at 18 U.S.C. § 1029.

Identity Theft Resource Center, Identity Theft Predictions 2009, December 18, 2008, http://www.idtheftcenter.org/artman2/publish/m_press/Identity_Theft_Predictions_2009_printer.shtml.

Document Fraud

Identity  thieves  can  use  personally  identifiable  information  to  create  fake  or  counterfeit 
documents  such  as  birth  certificates,  licenses,  and  social  security  cards.  One  way  that  thieves  can 
use  the  stolen  information  is  to  obtain  government  benefits  in  a  victim’s  name.  This  directly 
affects  the  victim  if  the  victim  attempts  to  legitimately  apply  for  benefits  and  then  is  denied 
because  someone  else  may  already  be  (fraudulently)  receiving  those  benefits  under  the  victim’s 
name.  The  creation  of  fraudulent  documents  may,  among  other  things,  provide  fake  identities  for 
unauthorized immigrants living in the United States or fake passports for people trying to
illegally enter the United States. In addition, DOJ has indicated that identity theft is implicated in
international terrorism. In May 2002, former Attorney General John Ashcroft stated that

[I]dentity theft is a major facilitator of international terrorism. Terrorists have used stolen
identities in connection with planned terrorist attacks. An Algerian national facing U.S.
charges of identity theft, for example, allegedly stole the identities of 21 members of a health
club in Cambridge, Massachusetts, and transferred the identities to one of the individuals
convicted in the failed 1999 plot to bomb the Los Angeles International Airport.

Identity  theft  and  resulting  document  fraud  can  thus  have  not  only  an  economic  impact  on  the 
United  States,  but  a  national  security  impact  as  well. 

Employment  Fraud 

Identity  theft  can  facilitate  employment  fraud  if  the  thief  uses  the  victim’s  personally  identifiable 
information  to  obtain  a  job.  With  the  current  downturn  in  the  economy  and  with  unemployment 
on the rise, policymakers may wish to monitor trends in employment fraud. In fact, the Identity
Theft Resource Center predicts that for 2009, there may be an increase in the fraudulent use of
SSNs (by people who either do not have a SSN or for some reason cannot use their own) to
obtain work. This could adversely affect the victim’s credit, ability to file his or her taxes, and
ability  to  obtain  future  employment,  among  other  things.  Not  only  can  identity  theft  lead  to 
employment  fraud,  but  employment  fraud  may  be  a  means  to  steal  someone’s  identity.  Identity 
thieves  may  use  scams  that  falsely  advertise  employment  as  a  means  to  phish  for  personally 
identifiable  information.  The  thief  can  then  use  this  information  to  commit  other  crimes  while  the 
job-seeking  individual  remains  unemployed  and  victimized. 


Document fraud is codified at 18 U.S.C. § 1028. The statutory definition of identity theft is found within this section
of  the  Code  at  18  U.S.C.  §  1028(a)(7). 

A  complete  discussion  of  immigration-related  document  fraud  is  outside  the  scope  of  this  report,  but  more 
information  can  be  found  in  CRS  Report  RL34007,  Immigration  Fraud:  Policies,  Investigations,  and  Issues,  by  Ruth 
Ellen  Wasem. 

Department  of  Justice,  Transcript  of  Attorney  General  Remarks  at  Identity  Theft  Press  Conference  Held  With  FTC 
Trade  Commission  Chairman  Timothy  J.  Muris  and  Senator  Diane  Feinstein,  DOJ  Conference  Center,  May  2,  2002, 
http://www.usdoj.gov/archive/ag/speeches/2002/050202agidtheftranscript.htm. Also cited in U.S. General Accounting
Office, Identity Fraud: Prevalence and Links to Alien Illegal Activities, GAO-02-830T, June 25, 2002, p. 9,
http://www.gao.gov/new.items/d02830t.pdf.

According  to  the  Bureau  of  Labor  Statistics  (BLS),  the  unemployment  rate  has  been  increasing  since  the  early  part  of 
2007, and it reached 8.5% in March, 2009, http://data.bls.gov/PDQ/servlet/SurveyOutputServlet?data_tool=latest_numbers&series_id=LNS14000000.

Identity Theft Resource Center, Identity Theft Predictions 2009, December 18, 2008, http://www.idtheftcenter.org/artman2/publish/m_press/Identity_Theft_Predictions_2009_printer.shtml.

Data Breaches and Identity Theft

While  the  number  of  identity  theft  complaints  has  been  increasing,  the  number  of  data  breaches — 
as  well  as  the  number  of  records  affected  by  these  breaches — has  fluctuated  over  the  past  several 
years.  The  Identity  Theft  Resource  Center  (ITRC)  tracks  data  breaches  across  the  nation,  and  the 
resulting  statistics  indicate  that  the  total  number  of  reported  data  breaches  decreased  in  2009  after 
steadily increasing between 2005 and 2008. Figure 5 illustrates this trend. The ITRC indicates
that  the  number  of  data  breaches  declined  from  656  in  2008  to  498  in  2009.  Breaches  are 
recorded  across  five  industries:  banking/credit/financial,  business,  education, 
government/military,  and  medical/healthcare.  In  2009,  the  business  industry  experienced  the 
greatest  number  of  data  breaches  (41.8%),  followed  by  government/military  (18.1%)  and 
education  (15.7%). 


Figure 5. Total Number of Reported Data Breaches and Records Affected

Source: CRS analysis of data provided by the Identity Theft Resource Center, available at
http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2009_Data_Breaches.shtml.

Notes:  Breaches  are  recorded  across  five  primary  industries:  banking/credit/financial,  business,  educational, 
government/military,  and  medical/healthcare. 

While there may have been a decrease in the number of actual data breaches, reflected by a
decrease in reported data breaches in 2009, several factors may influence the number of reported
breaches. One such factor may be the increasing number of states that have enacted laws
requiring data breach notification. California was the first state to enact such legislation in 2002.
Currently, 44 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have
enacted data breach notification laws. Even if there was not an increase in the actual number of
data breaches, the increasing prevalence of state laws requiring breach notification could lead to
an increase in reported breaches to law enforcement or to the individuals affected rather than to
media or government agencies. This could lead to a decline in the reported number of data
breaches captured by the ITRC. Therefore, analysts are unable to say with certainty whether the
decrease in the number of reported data breaches in 2009 is a reflection of a decrease in actual
breaches or a decrease in reporting.

Identity Theft Resource Center, 2009 Breach Stats, March 24, 2010, http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2009_Data_Breaches.shtml. The ITRC indicates that the criteria for qualifying as a data breach is
“[a]ny name or number that may be used, alone or in conjunction with other information, to identify a specific
individual, including: name, social security number, date of birth, banking or financial account number, credit card or
debit card number with or without a PIN, official state or government issued driver’s license or identification number,
passport identification number, alien registration number, employer or taxpayer identification number, or insurance
policy or subscriber numbers; unique biometric data; [or] electronic identification number, address or routing code or
telecommunication identifying information or device.”

Furthermore,  the  number  of  records  affected  by  each  data  breach  is  variable,  and  in  many  cases 
unknown.  In  2009,  for  example,  at  least  223,146,989  records  were  put  at  risk,  but  information  on 
the  exact  number  of  records  exposed  was  only  available  for  236  (about  47%)  of  the  498  reported 
data breaches.

From  2005  through  2008,  the  number  of  data  breaches  and  identity  theft  incidents  both  increased; 
however,  in  2009,  this  relationship  did  not  hold  true.  The  number  of  identity  theft  incidents 
reported  to  the  FTC  declined,  but  the  number  of  identity  theft  victims  identified  by  Javelin 
Strategy  &  Research  increased.  Simultaneously,  the  number  of  data  breaches  identified  by  the 
ITRC  through  reliable  media  and  government  sources  declined.  The  question  remaining  is 
whether  there  is  a  relationship  between  the  two.  Intuitively,  the  data  breaches  and  identity  theft 
may  seem  to  correlate,  but  some  analysts  have  found  that  the  link  may  not  be  very  strong.  There 
are  two  ways  to  analyze  the  relationship  between  data  breaches  and  identity  theft.  One  is  to 
examine  the  set  of  data  breach  victims  and  determine  the  proportion  of  those  victims  that  are  also 
victims  of  identity  theft.  Some  claim  that  data  breaches  are  a  direct  cause  of  identity  theft  and 
may  rely  on  this  position  to  advocate  the  need  for  increased  data  security  and  data  breach 
notification  laws  to  protect  consumers  and  help  with  quickly  mitigating  any  potential  damage 
from  such  data  breaches.  Meanwhile,  other  experts  claim  that  less  than  1%  of  data  breach  victims 
are  also  victims  of  identity  theft. Such  experts  may  use  this  data  to  argue  against  the  need  for 
increased  data  security  and  breach  notification  laws,  suggesting  that  such  laws  could  produce  a 
larger  cost  for  businesses  than  prevention  for  consumers. 

Another  means  to  evaluate  the  relationship  between  data  breaches  and  identity  theft  is  to  examine 
identity  theft  victims  and  analyze  the  proportion  of  those  victims  whose  identity  was  stolen  as  a 
result  of  a  data  breach.  Javelin  Strategy  and  Research  (2009)  found  that  about  11%  of  victims’ 
identities  that  were  stolen  had  been  under  the  control  of  a  company  and  were  stolen  from  the 
company  through  methods  such  as  data  breaches.  Most  victims  (65%)  did  not  know  how  their 
identities  had  been  stolen,  and  some  proportion  of  these  could  have  occurred  as  a  result  of  a  data 
breach. Synovate (2007) conducted a similar study on behalf of the Federal Trade Commission
and found that about 12% of victims’ stolen identities had been under the control of a company
and were thus accessed via a data breach. The Center for Identity Management and Information
Protection at Utica College (2007) evaluated identity theft cases handled by the U.S. Secret
Service between 2002 and 2006 and found that in nearly 27% of the cases, a breach of company-controlled
data was the source of the identity theft.

For more information on data breach notification laws affecting the private and public sectors, see CRS Report
RL34120, Federal Information Security and Data Breach Notification Laws, by Gina Stevens.

National Conference of State Legislatures, State Security Breach Notification Laws, http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm.

CRS calculated this figure from the data provided from the Identity Theft Resource Center, 2009 Breach Stats,
March 24, 2010, http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2009_Data_Breaches.shtml.

Findings from Javelin Strategy & Research cited in Ben Worthen, “Cardholders Buy Peace of Mind, If Not
Security,” The Wall Street Journal, March 10, 2009, p. D1.

Rachel Kim, 2009 Identity Fraud Survey Report: Consumer Version, Javelin Strategy & Research, February 2009,
(continued...)

It  appears  that  the  stronger  relationship  between  identity  theft  and  data  breaches  is  found  when 
analyzing  identity  theft  victims  whose  data  was  obtained  through  a  data  breach  rather  than  in 
analyzing  data  breaches  that  result  in  identity  theft.  In  efforts  to  curb  identity  theft,  policymakers 
are  left  with  the  issue  of  how  to  target  data  breaches.  The  question  is  whether  the  federal 
government’s  role  in  curbing  identity  theft  should  be  more  preventative,  more  responsive,  or  both. 
One  policy  option  may  be  for  Congress  to  increase  data  security  for  the  purpose  of  preventing 
those  data  breaches  that  could  potentially  result  in  identity  theft.  Congress  has  already  enacted 
data  breach  laws  targeting  certain  components  of  the  public  and  private  sectors,  such  as  the 
Veterans Administration and healthcare providers. Another option could be for Congress to
dedicate  resources  to  assisting  victims  of  identity  theft  and  providing  sufficient  deterrence  and 
punishment  measures  (in  the  form  of  penalties  or  sanctions).  These  options  are  analyzed  further 
below. 


Potential  Issues  for  Congress 

As the 111th Congress debates means to prevent identity theft, mitigate the potential effects of
identity  theft,  and  investigate  and  prosecute  identity  thieves,  there  are  several  issues  policymakers 
may  wish  to  consider.  One  issue  surrounds  the  extent  to  which  reducing  the  availability  of  SSNs 
may  reduce  the  prevalence  of  identity  theft.  A  second  issue  involves  the  degree  to  which 
increasing  breach  notification  requirements  may  reduce  both  identity  theft  and  the  monetary 
burden  incurred  by  victims.  Yet  another  issue  concerns  the  adequacy  of  (1)  the  current  legal 
definitions  of  identity  theft  and  aggravated  identity  theft  and  (2)  the  list  of  predicate  offenses  for 
aggravated  identity  theft. 


(...continued) 

http://www.javelinstrategy.com. 

Synovate,  Federal  Trade  Commission:  2006  Identity  Theft  Survey  Report,  November  2007,  http://www.ftc.gov/os/ 
2007/11/SynovateFinalReportIDTheft2006.pdf.

Gary R. Gordon, Donald J. Rebovich, and Kyung-Seok Choo, et al., Identity Fraud Trends and Patterns: Building a
Data-Based  Foundation  for  Proactive  Enforcement,  Center  for  Identity  Management  and  Information  Protection,  Utica 
College,  OJP,  BJA  Grant  No.  2006-DD-BX-K086,  October  2007,  http://www.utica.edu/academic/institutes/ecii/ 
publications/media/cimip_id_theft_study_oct_22_noon.pdf. 

For example, the Veterans Affairs Information Security Act, Title IX of P.L. 109-461 required the Veterans
Administration (VA) to implement an information security program to protect its sensitive personal information. For
more information, see CRS Report RL34120, Federal Information Security and Data Breach Notification Laws, by
Gina Stevens. Also, the Health Information Technology for Economic and Clinical Health (HITECH) Act, in P.L. 111-5,
established, among other things, a notification requirement for a breach of non-encrypted health information. For
further information on the HITECH Act, see CRS Report R40161, The Health Information Technology for Economic
and Clinical Health (HITECH) Act, by C. Stephen Redhead.

Identity Theft Prevention

Policymakers may question what the extent of the federal government’s role should be in
preventing  identity  theft.  One  element  of  this  discussion  centers  around  the  fact  that  identity  theft 
is  often  committed  to  facilitate  other  crimes  and  frauds  (e.g.,  credit  card  fraud,  document  fraud, 
and  employment  fraud).  Consequently,  preventing  identity  theft  could  proactively  prevent  other 
crimes.  When  policymakers  consider  the  federal  government’s  role  in  preventing  identity  theft, 
they  necessarily  consider  the  government’s  role  in  preventing  interrelated  crimes. 

Congress  may  also  consider  the  various  means  available  to  prevent  identity  theft  and  evaluate  the 
federal  government’s  role — if  any — in  implementing  them.  Possible  ways  to  prevent  identity  theft 
include  securing  data  in  the  private  sector,  securing  data  in  the  public  sector,  and  improving 
consumer  authentication  processes. 

Securing  Social  Security  Numbers 

The  prevalence  of  personally  identifiable  information — and  in  particular,  of  social  security 
numbers  (SSN) — has  been  an  issue  concerning  policymakers,  analysts,  and  data  security 
experts. There  are  few  restrictions  on  the  use  of  SSNs  in  the  private  sector,  and  therefore  the  use 
of  SSNs  is  widespread. Some  industries,  such  as  the  financial  services  industry,  have  stricter 
requirements  for  safeguarding  personally  identifying  information.  There  are  greater  restrictions 
on  the  use  of  SSNs  in  the  public  sector,  as  Congress  has  already  taken  direct  steps  in  reducing  the 
prevalence  of  SSNs  in  this  arena.  For  example,  in  the  Intelligence  Reform  and  Terrorism 
Prevention Act of 2004 (P.L. 108-458), Congress prohibited states from displaying or
electronically including SSNs on driver’s licenses, motor vehicle registrations, or personal
identification cards. One document that continues to display SSNs, however, is the Medicare
identification card. The 111th Congress may consider whether the continued display of SSNs on
Medicare  cards  places  individuals  at  undue  risk  for  identity  theft  as  well  as  for  becoming  a  victim 
of  other  crimes  facilitated  by  identity  theft  and  whether  it  should  enact  legislation  to  prohibit  the 
display  of  SSNs  on  Medicare  cards.  Proponents  of  legislation  to  remove  SSNs  from  Medicare 
cards  cite  reports  that  as  of  2007,  42  million  Medicare  cards  displayed  social  security  numbers, 
potentially  placing  these  individuals  at  risk  for  identity  theft.  Opponents  of  such  legislation  may 
cite  that  transitioning  to  a  different  Medicare  identifier  has  been  estimated  to  cost  more  than  $300 
million. 

Another policy option to safeguard personally identifiable information that the 111th Congress
may consider is increasing restrictions on the disclosure of certain forms of personally
identifiable information, such as SSNs, in connection with federally funded grant programs. One
example of Congress taking such action is in the Violence Against Women and Department of
Justice Reauthorization Act of 2005 (P.L. 109-162). Provisions in this Act prohibit grantees that
receive funds under the Violence Against Women Act of 1994 from disclosing certain personally
identifiable information, including SSNs, collected in connection with services through the
grant program. Congress may consider whether existing SSN restrictions for federal grant
recipients are sufficient or whether the federal government should play a larger role in limiting
the use of SSNs, and more specifically, whether it should set limitations as part of eligibility
requirements for federal assistance.

The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, Apr. 23, 2007, at
http://www.identitytheft.gov/reports/StrategicPlan.pdf.

For a complete discussion of the collection, disclosure, and confidentiality of social security numbers, see CRS
Report RL30318, The Social Security Number: Legal Developments Affecting Its Collection, Disclosure, and
Confidentiality, by Kathleen S. Swendiman.

U.S. Government Accountability Office, Social Security Numbers: Use is Widespread and Protection Could be
Improved, GAO-07-1023T, June 21, 2007, http://www.gao.gov/new.items/d071023t.pdf.

Social Security Administration, Office of the Inspector General, Removing Social Security Numbers From Medicare
Cards, A-08-08-18026, May 2008, p. 1, http://www.ssa.gov/oig/ADOBEPDF/A-08-08-18026.pdf.

Ibid., p. 3.

The  Government  Accountability  Office  (GAO)  has  identified  vulnerabilities  in  federal  laws 
protecting  personally  identifiable  information — and  specifically,  SSNs — across  industries.  For 
one,  some  industries,  such  as  the  financial  services  industry,  have  more  restrictions  on 
safeguarding  this  information,  while  information  resellers  are  not  covered  by  the  same 
restrictions. In order to reduce discrepancies across industries, one policy option may be to
provide certain federal agencies with authority to curb the prevalence of SSN use in the private
sector; for example, the GAO has recommended that Congress provide the SSA with the authority
to enact standards for uniformly truncating SSNs so that the entire nine-digit numbers are not as
readily available. A similar option may be to provide the Attorney General, the FTC, or the SSA
with the authority to set rules and standards for the sale and purchase of SSNs.


Effects  of  Data  Breaches 

One issue that the 111th Congress may consider involves the relationship between data breaches
and identity theft. Although there is not a large body of research examining this relationship, data
from current research suggest that between 12% and 27% of identity theft incidents may result
from data breaches. However, this proportion is truly unknown because most victims of identity
theft do not know precisely how their personally identifiable information was acquired. In order
to prevent any proportion of identity theft that may result from data breaches, or to mitigate the
extent of the damage resulting from breach-related identity theft, Congress may wish to consider
whether  to  strengthen  data  breach  notification  requirements.  Such  requirements  could  affect  both 
the  notification  of  the  relevant  law  enforcement  authorities  as  well  as  the  notification  of  the 
individual  whose  personally  identifiable  information  may  be  at  risk  from  the  breach. 


42  U.S.C.  §  13925 

U.S. Government Accountability Office, Social Security Numbers: Use is Widespread and Protection Could be
Improved, GAO-07-1023T, June 21, 2007, pp. 12-13, http://www.gao.gov/new.items/d071023t.pdf.

Ibid. Legislation (S. 1618) has been introduced in the 111th Congress that would require the Commissioner of Social
Security to issue standards for truncating SSNs.

Legislation (H.R. 122, S. 141, Protecting the Privacy of Social Security Numbers Act of 2009) has been introduced
in the 111th Congress that would grant this rulemaking authority to the Attorney General, in conjunction with the
Chairman of the FTC and Commissioner of the SSA.

Synovate, Federal Trade Commission: 2006 Identity Theft Survey Report, November 2007,
http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf.

Gary R. Gordon, Donald J. Rebovich, and Kyung-Seok Choo, et al., Identity Fraud Trends and Patterns: Building a
Data-Based Foundation for Proactive Enforcement, Center for Identity Management and Information Protection, Utica
College, OJP, BJA Grant No. 2006-DD-BX-K086, October 2007,
http://www.utica.edu/academic/institutes/ecii/publications/media/cimip_id_theft_study_oct_22_noon.pdf

Proponents of increasing breach notification requirements point to research on recent trends in the
frequency  of  identity  theft  and  the  resulting  monetary  loss.  As  mentioned  earlier,  the  sooner 
people  become  aware  that  they  are  victims  of  identity  theft,  the  faster  they  take  compensatory 
steps  to  mitigate  the  damage. Proponents  also  argue  that  placing  enhanced  reporting 
requirements  on  industries  may  influence  businesses  to  increase  their  data  security  standards, 
which  could,  in  effect,  decrease  data  breaches  and  any  possibly  resulting  identity  theft.  On  the 
other  hand,  opponents  of  increasing  notification  requirements  point  to  research  suggesting  that 
the  percentage  of  data  breaches  that  result  in  identity  theft  could  be  less  than  1%,  as  previously 
discussed. Opponents may then argue that the costs that businesses could incur from increased
notification  (in  terms  of  dollars  and  personnel  time)  could  thus  exceed  the  costs  incurred  by 
potential  identity  theft  victims  from  the  small  proportion  of  data  breaches  that  may  actually  result 
in  identity  theft. 

In  addition  to  strengthening  post-breach  notification  requirements,  another  policy  option  aimed  at 
decreasing  data  breach-related  identity  theft  involves  strengthening  data  security.  Several  options 
to  reduce  the  availability  of  personally  identifiable  information  were  discussed  in  the  preceding 
section.  However,  a  broader  data  security  issue  concerns  overall  information  security.  Because 
many  incidents  of  identity  theft  may  occur  over  the  Internet,  enhancing  cyber  security  measures 
could  reduce  the  incidents  of  identity  theft. 


Deterrence  and  Punishment 

As  mentioned,  identity  theft  is  broadly  defined  in  current  law.  This  is  in  part  because  it  is  a 
facilitating  crime,  and  the  criminal  act  of  stealing  someone’s  identity  often  does  not  end  there. 
Consequently,  investigating  and  prosecuting  identity  theft  often  involves  investigating  and 
prosecuting  a  number  of  related  crimes.  In  light  of  this  interconnectivity,  the  President’s  Identity 
Theft  Task  Force  recommended  expanding  the  list  of  predicate  offenses  for  aggravated  identity 
theft,  as  discussed  earlier.  The  Task  Force  specifically  suggested  adding  identity  theft-related 
crimes such as mail theft, counterfeit securities, and tax fraud. However, the Task Force did
not  cite  specific  data  to  support  the  claim  that  these  specifically  mentioned  crimes  are  in  fact 
those  most  often  related  to  (either  facilitating  or  facilitated  by)  identity  theft.  If  Congress 


Javelin Strategy & Research, “Latest Javelin Research Shows Identity Fraud Increased 22 Percent, Affecting Nearly
Ten Million Americans: But Consumer Costs Fell Sharply by 31 Percent,” press release, February 9, 2009,
http://www.javelinstrategy.com/2009/02/09/latest-javelin-research-shows-identity-fraud-increased-22-percent-affecting-nearly-ten-million-americans-but-consumer-costs-fell-sharply-by-31-percent/.

Sasha  Romanosky,  Rahul  Telang,  and  Alessandro  Acquisti,  “Do  Data  Breach  Disclosure  Laws  Reduce  Identity 
Theft?,”  Seventh  Workshop  on  the  Economics  of  Information  Security,  Center  for  Digital  Strategies,  Tuck  School  of 
Business,  Dartmouth  College,  Hanover,  NH,  June  25,  2008,  http://weis2008.econinfosec.org/papers/Romanosky.pdf. 

Findings  from  Javelin  Strategy  &  Research  cited  in  Ben  Worthen,  “Cardholders  Buy  Peace  of  Mind,  If  Not 
Security,” The Wall Street Journal, March 10, 2009, p. D1.

A complete discussion of relevant cyber security issues is outside the scope of this report. However, see CRS Report
R40427, Comprehensive National Cybersecurity Initiative: Legal Authorities and Policy Considerations, by John
Rollins and Anna C. Henning for a discussion of current issues in cyber security.

The  President’s  Identity  Theft  Task  Force,  Combating  Identity  Theft:  A  Strategic  Plan,  April  23,  2007,  at 
http://www.identitytheft.gov/reports/StrategicPlan.pdf. 

18 U.S.C. § 1708.

18 U.S.C. § 513.

26  U.S.C.  §  7201,  7206-7207. 

considers expanding the list of predicate offenses for aggravated identity theft, it may request that
the  U.S.  Attorneys  as  well  as  the  appropriate  investigative  agencies  (e.g.,  FBI,  USSS,  ICE,  and 
USPIS)  provide  a  report  detailing  the  relationship  between  identity  theft  and  other  federal  crimes 
not  yet  codified  as  predicate  offenses.  A  second  question  that  Congress  may  raise  if  it  considers 
expanding  the  list  of  predicate  offenses  regards  which  identity  theft-related  crimes  may  most 
affect  national  priorities  such  as  economic  health  and  national  security. 

The  increase  in  consumer  complaints  to  the  FTC  (as  illustrated  in  Figure  2),  as  well  as  the 
increase  in  the  number  of  identity  theft  and  aggravated  identity  theft  prosecutions  and  convictions 
(as  illustrated  in  Figure  3),  suggests  an  increase  in  identity  theft  prevalence.  Not  only  is  the 
number  of  incidents  increasing,  but  the  scope  of  the  victims  is  as  well;  identity  thieves  target 
individuals  as  well  as  organizations.  The  Task  Force  cites  “phishing”  as  a  means  by  which 
identity  thieves  assume  the  identity  of  a  corporation  or  organization  in  order  to  solicit  personally 
identifiable information from individuals. For reasons such as this, the Task Force
recommended  that  Congress  clarify  the  identity  theft  and  aggravated  identity  theft  statutes  to 
cover  both  individuals  and  organizations  targeted  by  identity  thieves. 


Selected Legislation in the 111th Congress

Several pieces of legislation have been introduced in the 111th Congress addressing the growing
trends  in  identity  theft.  The  proposals  would  provide  for  measures  that  may  safeguard  information 
and  persons  possibly  at  risk  for  identity  theft. 


Social  Security  Numbers 

Legislation has been proposed to secure social security numbers (SSNs) as well as to minimize
the public availability of these numbers. Proposals include securing social security cards by
requiring that social security cards be made of tamper-proof material, including a digital image of
the individual to whom the card and number belong, and including encrypted biometric identifiers
of the cardholder. Other proposals would prohibit the display of SSNs on Medicare, Medicaid,
or Children’s Health Insurance Plan (CHIP) identification cards or would require the Secretary
of Health and Human Services to replace SSNs as personal identifiers for Medicare beneficiaries
with an alternate identifier. Still others would provide the Commissioner of Social Security the
authority to set standards for truncating SSNs or to issue new SSNs to children whose SSNs
have  been  stolen. 

Legislation has also been introduced that would require the Attorney General and the Comptroller
General  to  report  to  Congress  on  the  uses  of  social  security  numbers  as  well  as  the  prevalence  of 


The  President’s  Identity  Theft  Task  Force,  Combating  Identity  Theft:  A  Strategic  Plan,  Apr.  23,  2007,  pp.  91-92,  at 
http://www.identitytheft.gov/reports/StrategicPlan.pdf 

See,  for  example,  the  Social  Security  Identity  Theft  Prevention  Act  (H.R.  50). 

See  the  Identity  Protection  Act  of  2009  (H.R.  2417). 

See,  for  example,  the  Seniors  and  Taxpayers  Obligation  Protection  Act  of  2009  (S.  975). 

See  the  Safeguarding  Social  Security  Numbers  Act  of  2009  (S.  1618). 

See  the  Young  Children  Social  Security  Number  Protection  Act  of  2009  (H.R.  2706). 

social security numbers in public records. Policymakers have also suggested criminalizing the
display, sale, or purchase of SSNs without consent from the individual, prohibiting the use of
SSNs on government-issued payment checks, and banning inmate access to SSNs.

Policymakers  have  also  proposed  legislation  to  facilitate  federal  agency  sharing  of  social  security 
data  in  order  to  prevent  identity  theft.  Suggested  measures  would  include  requiring  the 
Commissioner  of  Social  Security  to  provide  the  Secretary  of  Homeland  Security  with  the 
personally  identifiable  information  of  individuals  in  the  instance  that  the  Commissioner 
determines that an SSN has been used with multiple names.


Law  Enforcement  and  Consumer  Notification 

Legislation introduced in the 111th Congress would enhance both law enforcement and consumer
notification  of  suspected  identity  theft.  For  example,  some  proposals  would  require  consumer 
reporting  agencies  to  report  suspected  identity  theft  to  the  U.S.  Secret  Service  and  the  Attorney 
General,  as  well  as  require  the  Secret  Service  to  report  identity  theft  to  the  Federal  Bureau  of 
Investigation  or  the  Department  of  Homeland  Security  if  there  are  suspected  terrorism  or 
immigration  elements. Other  proposals  would  require  the  Secretary  of  the  Treasury  to  notify 
taxpayers  of  suspected  identity  theft or  would  require  the  Commissioner  of  Social  Security  to 
report  suspected  identity  theft  to  the  individual  at  risk  as  well  as  to  the  appropriate  law 
enforcement  authorities.  Still  others  would  require  the  agency  or  business  entity  wherein  the 
breach  occurred  to  notify  individuals  whose  personally  identifiable  information  may  have  been 
compromised.

See, for example, the Protecting the Privacy of Social Security Numbers Act (H.R. 122, S. 141).

Ibid.  See  also  the  Social  Security  Number  Privacy  and  Identity  Theft  Prevention  Act  of  2009  (H.R.  3306). 

See,  for  example,  the  Social  Security  Fraud  and  Identity  Theft  Prevention  Act  (H.R.  2472). 

See,  for  example,  the  Credit  Agencies  Identity  Theft  Responsibilities  Act  of  2009  (H.R.  123). 

See S. 1119, a bill to amend the Internal Revenue Code of 1986 to provide taxpayer notification of suspected
identity  theft. 

See,  for  example,  the  Identity  Theft  Notification  Act  of  2009  (H.R.  133). 

See  the  Personal  Data  Privacy  and  Security  Act  of  2009  (S.  1490)  as  well  as  the  Data  Breach  Notification  Act  (S. 
139). 